Internal Documentation

Production Virtual Machine Hardening Policy

Purpose

This document outlines the security standards and configuration requirements for virtual machines (VMs) within our production infrastructure. These standards are designed to minimize security vulnerabilities and ensure consistent security practices across our VM fleet.

Scope

This policy applies to all virtual machines operated by the organization within the production environment.

Policy Requirements

Operating System Standards

  • All public-facing VMs should run a stable Ubuntu release whose version number is equal to or greater than the most recent LTS release
  • Security patches must be applied at least every 14 days by provisioning a new base container
  • System updates must be logged automatically for audit purposes

System Monitoring and Auditing

Audit Daemon Configuration

  • The Linux audit daemon (auditd, configured with auditctl) must be installed and configured on all VMs
  • The following events must be monitored and logged:
    • File system changes to critical system files
    • SSH connection attempts (successful and failed)
    • Privilege escalation events
    • Changes to system configuration
  • Alert reporting must be configured for:
    • Unauthorized privilege escalation attempts
    • Failed SSH authentication attempts exceeding defined thresholds
    • Modifications to critical system files

Antivirus Protection

  • ClamAV must be installed and configured on all VMs
  • Real-time monitoring must be enabled for:
    • File system changes
    • New file creation
    • File modifications
  • Virus definition updates must occur on every new deploy
  • All detected threats must generate immediate alerts

Network Security

Network Access Controls

  • VMs must be categorized as either:
    • Private: accessible only through the WireGuard VPN
    • Public: exposed only through the Fly proxy
  • For public-facing VMs:
    • Only explicitly required ports may be exposed
    • All exposed ports must be documented and justified

Firewall Configuration

  • A host-based firewall must be enabled
  • All inbound connections must be denied by default
  • An explicit allow rule is required for every permitted connection
  • Regular firewall rule audits must be performed
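The following script is an added illustration, not Cadence OneFive's own tooling, of how the Audit Daemon Configuration and Firewall Configuration requirements above can be rendered as concrete auditd and nftables rule fragments. The watched file paths, the rule keys, the output locations and the example port list are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example (assumptions: paths, keys and ports are illustrative, not
# taken from the policy). Generates the auditd rules that implement the
# monitored event classes and an nftables ruleset with default-deny inbound.
set -eu

# Write auditd rules for: critical file changes, system configuration
# changes and privilege escalation. $1 = output rules file.
write_audit_rules() {
  out="$1"
  cat > "$out" <<'EOF'
## Critical system files (key: critical_files)
-w /etc/passwd -p wa -k critical_files
-w /etc/shadow -p wa -k critical_files
-w /etc/sudoers -p wa -k critical_files
-w /etc/sudoers.d/ -p wa -k critical_files
## System configuration changes (key: sysconfig)
-w /etc/ssh/sshd_config -p wa -k sysconfig
-w /etc/audit/ -p wa -k sysconfig
## Privilege escalation: a logged-in, non-system user (auid >= 1000 and
## not unset) executing a program whose effective uid differs from its uid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid>=1000 -F auid!=4294967295 -k privesc
-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid>=1000 -F auid!=4294967295 -k privesc
## SSH attempts need no rule here: sshd emits USER_AUTH / USER_LOGIN records
## through PAM; failed logins are queried with: ausearch -m USER_LOGIN --success no
EOF
}

# Write an nftables ruleset: drop all inbound by default, allow loopback and
# established traffic, then one explicit rule per documented TCP port.
# $1 = output file, remaining arguments = the justified ports.
write_nft_rules() {
  out="$1"; shift
  {
    echo 'table inet filter {'
    echo '  chain input {'
    echo '    type filter hook input priority 0; policy drop;'
    echo '    iif lo accept'
    echo '    ct state established,related accept'
    for p in "$@"; do
      echo "    tcp dport $p accept  # documented and justified per policy"
    done
    echo '  }'
    echo '}'
  } > "$out"
}

# Audit helper: number of rules in $1 tagged with key $2 (0 means uncovered).
count_key() { grep -c -- "-k $2" "$1" || true; }
```

Load the generated fragments with `augenrules --load` and `nft -f` respectively; `count_key` supports the periodic rule audits the policy requires by confirming each event class still has rules.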

System Hardening

Package Management

  • Unnecessary system packages should be removed
  • Package installation requires an approval process
  • Regular audits of installed packages must be performed

Service Management

  • Only required services may be enabled
  • All enabled services must be documented
  • Regular service audits must be performed

Review and Updates

  • This policy must be reviewed annually
  • Updates require peer approval
  • All changes must be made as pull requests in the handbook project

Visibility

This document is confidential and is a proprietary work product of Cadence OneFive. The information contained herein may not be copied or distributed without the specific written consent of Cadence OneFive.